HIPAA Covered Entities

Individuals, organisations, and agencies that meet the HIPAA definition of a covered entity must comply with the Rules’ requirements to protect the privacy and security of health information, must provide individuals with certain health information rights. If a covered entity employ a business associate to facilitate it in carrying out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that specifies what the business associate has been employed to do and requires the business associate to adhere to the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules.

A covered entity is one of the following:

 

A Health Care Provider

A Health Plan

A Health Care Clearinghouse

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

..but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.